diff --git a/docs/operations/ci/adding_cico_tenant/adding-duffy-api-key.md b/docs/operations/ci/adding_cico_tenant/adding-duffy-api-key.md index a65edb0..7a3dc69 100644 --- a/docs/operations/ci/adding_cico_tenant/adding-duffy-api-key.md +++ b/docs/operations/ci/adding_cico_tenant/adding-duffy-api-key.md @@ -79,9 +79,24 @@ MariaDB [duffy]> describe users; ``` ## Steps to create a new duffy SSH key -1. On the home directory of user duffy on the admin.ci.centos.org instance, we have a folder where we store the created ssh keys for duffy tenants. -2. `mkdir -p keys//` then `ssh-keygen -f ~duffy/keys//id_rsa -C @CI` -3. Copy the public key + +!!! note + we'll start using the `pkistore` git-crypted git repo for this, so be sure to have that under git control + +We'll just create the new ssh keypair directly into the pkistore repository : + +``` +project="samba" +ssh-keygen -f ocp/ssh/${project} -C ${project}@CI + +``` + +!!! important + Don't forget to add and git commit && git push new keys in pkistore/ocp/ssh repo + + +This will create both private and public ssh keys, and you can now copy the public key to be inserted into Duffy DB + ## Steps to create a new duffy API key @@ -104,5 +119,3 @@ insert into userkeys (project_id,`key`) values(, This ssh key is pushed to duffy nodes - authorized keys when a tenant requests the node through api key. -NOTE: we need to copy private key (pair of key just added in db), and paste it -in openshift jenkins template (so copy it to save the trouble later) diff --git a/docs/operations/ci/adding_cico_tenant/adding_cico_tenants.md b/docs/operations/ci/adding_cico_tenant/adding_cico_tenants.md index 716c138..e53fbe3 100644 --- a/docs/operations/ci/adding_cico_tenant/adding_cico_tenants.md +++ b/docs/operations/ci/adding_cico_tenant/adding_cico_tenants.md 
@@ -27,47 +27,81 @@ Project_members: ``` ## Steps -1. Create an OpenShift namespace -2. Create an entry in duffy db (with ssh key) - follow adding-duffy-api-key.md -3. Create a PV(Persistent Volume) for Jenkins instance -4. Instantiate a template to provision Jenkins + +1. Create an entry in duffy db (with ssh key) - [follow adding-duffy-api-key.md](/operations/ci/adding_cico_tenant/adding -duffy-api-key/) +2. Create an OpenShift namespace/project (done with ansible) +3. Create a PV(Persistent Volume) and deploy Jenkins instance (done with ansible) + +## Create an entry in duffy db (with ssh key) - [follow adding-duffy-api-key.md](/operations/ci/adding_cico_tenant/adding-duffy-api-key/) ### Create an OpenShift namespace -Using the data provided by tenant (i.e. Project name and its admins), create an yaml file to be passed to ansible-playbook (example above). +!!! important + we don't use the previous specific git repo for projects, as it's now all using the `ocp-admin` ansible role, see below + +To create the openshift namespace/project, just add edit the inventory/host_vars/ and add the new project to the existin `ocp_projects_list` ansible list. + +Example: + +``` +# Declaring projects that will be created in ocp.ci +ocp_projects_list: + - name: ci-infra-test + members: + - ci-user1@centos.org + - ci-user2@centos.org + +``` + +Once done, don't forget to commit/push and you can also play that role directly with a specific tag. 
+ +``` +ansible-playbook playbooks/role-ocp-admin-node.yml --tags "projects" + +PLAY [hostgroup-role-ocp-admin-node] ***************************************************************************** + +TASK [ocp-admin-node : Rendering template for projects] ********************************************************** +Tuesday 21 December 2021 09:20:42 +0100 (0:00:00.116) 0:00:00.116 ****** +ok: [ocp-admin.ci.centos.org] => (item=ci-infra-test) +changed: [ocp-admin.ci.centos.org] => (item=samba) -Store it in the (private) [projects directory](https://github.com/centosci/projects) to and push it to git +TASK [ocp-admin-node : Creating/modifying project if needed] ***************************************************** +Tuesday 21 December 2021 09:20:47 +0100 (0:00:05.123) 0:00:05.240 ****** +skipping: [ocp-admin.ci.centos.org] => (item=ci-infra-test) +changed: [ocp-admin.ci.centos.org] => (item=samba) -Use playbook (adhoc-openshift-resources.yaml)[https://github.com/CentOS/ansible-infra-playbooks/blob/staging/adhoc-openshift-resources.yaml] with variables `host=openshift-ci-management` and `the file containing project name and admins` +PLAY RECAP ******************************************************************************************************* +ocp-admin.ci.centos.org : ok=2 changed=2 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 -Example: "ansible-playbook playbooks/adhoc-openshift-resources.yaml -e "host=ocp-ci-management" -e "@important_project.yaml"" +Tuesday 21 December 2021 09:20:48 +0100 (0:00:01.075) 0:00:06.316 ****** +``` !!! note If you need to also modify members and/or email addresses, you can just follow the same process and replay the same playbook : that will reflect changes in openshift. 
If you need access to that private git repository (to be fixed and moved elsewhere in the official `centos` namespace, reach out to another infra team member -## Create an entry in duffy db (with ssh key) - [follow adding-duffy-api-key.md](/operations/ci/adding_cico_tenant/adding-duffy-api-key/) +## Deploy a PV (Persistent Volume) and Jenkins instance -## Create a PV(Persistent Volume) for Jenkins instance +!!! note + In case you just need to create a PV *outside* of jenkins, follow [Persistent storage via NFS](https://docs.infra.centos.org/operations/ci/installation/persistant_storage_nfs/). -The default PV size for Jenkins instance is 10Gi. If a volume of a different size is created it will need to be reflected in the next section +We have an ad-hoc ansible task (adhoc-ocp-deploy-jenkins-for-ci-tenant.yml) that will create the needed PV , create a template and apply it with the correct ssh keys and duffy api key so ensure that you followed previous steps so that you have the project keys into pkistore git repo (using project name) and also duffy api key ready (as script will ask you for it): -To create the PV follow [Persistent storage via NFS](https://docs.infra.centos.org/operations/ci/installation/persistant_storage_nfs/). The host will be `ocp-ci-management` +``` +ansible-playbook-ci playbooks/adhoc-ocp-deploy-jenkins-for-ci-tenant.yml +``` +Just answer the following questions (project has to exist first ! : -## Instantiate a template to provision Jenkins -* Login to openshift -* Ensure you are in Developer mode and select +Add from the menu -* At the top select the Project cico-templates from the dropdown -* Under the Developer Catalog section select All Services -* Enter cico-workspace in the search field you will see a template - called "cico-workspace: provided by The CentOS Project" -* Click the template to start instantiation process. 
- * Select the namespace we want to run Jenkins in (In Namespace variable) - * Enter appropriate Memory limit and volume capacity (for Jenkins, we prefer 3Gi and 10Gi respectively) - * Enter duffy API key for the project and SSH private key whose public pair is in duffy db. +``` +Existing project/namespace in ocp we'll deploy jenkins to/for (has to exist before !) : samba +Persistent Volume size (example 10Gi) : 10Gi +Existing Duffy API key : + +``` -Click create to instantiate the project. +Now you just have to wait for jenkins to be up and running -Admin's hack: Increase timeout in deployment config to counter our slow storage timeout issue. +!!! important + We recently had an issue with the default jenkins image having outdated (and not working) [openshift sync plugin](https://plugins.jenkins.io/openshift-sync/) so be sure that you have at least 1.0.51 running in openshift. If not, update it first, and then configmap will be synced to jenkins, for the `cico-workspace` pod template diff --git a/docs/security/tls.md b/docs/security/tls.md index 66b8ce4..994cd74 100644 --- a/docs/security/tls.md +++ b/docs/security/tls.md @@ -248,7 +248,7 @@ You can still "force" the playbook execution if you want, from ansible bot host There is no dedicated ansible host/management station for ci infra (yet) so you have to run it yourself. Once you have pushed the renewed certs (through git-crypted pkistore git repo), you can just apply with : ``` -for role in haproxy ocp-admin-nodei jenkins-server ; do +for role in haproxy ocp-admin-node jenkins-server ; do ansible-playbook playbooks/role-${role}.yml --tags "tls,pki,certs" done ```
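Review bot: in the adding-duffy-api-key.md hunk at @@ -79,9 +79,24 @@, the new `ssh-keygen -f ocp/ssh/${project} -C ${project}@CI` command is relative to the pkistore checkout but the text never says to `cd` into it first, and it omits `-t`, so the key type silently falls back to ssh-keygen's default (RSA) where the old instructions at least named `id_rsa` explicitly. Suggest stating the working directory and pinning the type, for example `cd pkistore && ssh-keygen -t rsa -b 4096 -f ocp/ssh/${project} -C ${project}@CI` (or `-t ed25519` if the Duffy nodes accept it). The `!!! important` box that says to `git commit && git push` the new keys should also remind the operator to confirm that `ocp/ssh/` is covered by the repo's git-crypt filter before pushing (e.g. `git-crypt status ocp/ssh/${project}`), since the point of using pkistore is that the private key never leaves in cleartext. Finally, "copy the public key" would be clearer as "copy `ocp/ssh/${project}.pub`", which is the file ssh-keygen writes next to the private key.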
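Review bot: in the adding-duffy-api-key.md hunk at @@ -104,5 +119,3 @@, dropping the NOTE about pasting the private key into the OpenShift Jenkins template leaves this page with no statement of where the private key is consumed now. Since the companion change says the ad-hoc playbook reads the project keys from pkistore, replace the removed note with a one-line pointer such as "the private key in pkistore/ocp/ssh/<project> is picked up by the Jenkins deployment playbook, see adding_cico_tenants.md" so the two pages stay in sync.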
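Review bot: in the adding_cico_tenants.md hunk at @@ -27,47 +27,81 @@, the step 1 link target `/operations/ci/adding_cico_tenant/adding -duffy-api-key/` contains a space before `-duffy`, so the link will 404; the later heading uses the correct `/operations/ci/adding_cico_tenant/adding-duffy-api-key/`. The kept context line "If you need access to that private git repository (to be fixed and moved elsewhere in the official `centos` namespace, reach out to another infra team member" now contradicts the new `!!! important` box saying the projects repo is no longer used, so it should be deleted in this change rather than left behind. Smaller points: "just add edit the inventory/host_vars/ and add the new project to the existin `ocp_projects_list`" should name the host_vars file (presumably the ocp-admin host's) and fix "add edit" and "existin"; the two commands use different wrappers (`ansible-playbook playbooks/role-ocp-admin-node.yml` vs `ansible-playbook-ci playbooks/adhoc-ocp-deploy-jenkins-for-ci-tenant.yml`), which should be reconciled or explained; "Just answer the following questions (project has to exist first ! :" has an unclosed parenthesis; and the playbook transcript pasted into the fence shows a `samba` project being created, which is fine as an illustration but the surrounding text should say it is sample output.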
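Review bot: in the docs/security/tls.md hunk at @@ -248,7 +248,7 @@, the `ocp-admin-nodei` to `ocp-admin-node` fix is correct and matches the `role-ocp-admin-node.yml` playbook name used elsewhere in this change. One follow-up worth considering while touching this loop: `for role in haproxy ocp-admin-node jenkins-server ; do ansible-playbook playbooks/role-${role}.yml --tags "tls,pki,certs" done` keeps going after a failed run, so a bad cert push to haproxy would still proceed to the other roles; appending `|| break` to the ansible-playbook line would stop at the first failure.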